If your firm is a MiFID-authorized investment manager with EU operations, you will receive material compliance obligations from at least four separate sources: the European Commission (via Level 1 legislation), ESMA (via technical standards and guidance), the ECB or national central banks (if you hold banking authorizations), and your national competent authority — the AMF in France, BaFin in Germany, or whichever NCA supervises your EU entity. Monitoring one of those sources is not sufficient. And understanding which body is responsible for which publication type is the foundation of any functional EU regulatory change management process.
This piece breaks down the mandate and publication patterns of ESMA, EBA, ECB, and NCAs — and explains the interaction effects between them that create compliance blind spots for cross-border financial firms.
ESMA: the capital markets layer
The European Securities and Markets Authority has direct supervisory authority over specific entities (credit rating agencies and trade repositories), but for most firms its primary impact is through the regulatory standards it develops and the guidance it publishes under EU securities law.
ESMA produces three types of output that compliance teams need to track differently:
Binding technical standards (RTS and ITS): Regulatory Technical Standards and Implementing Technical Standards are developed by ESMA under mandates in EU legislation (MiFID II, EMIR, CSDR, SFDR, etc.) and then adopted by the European Commission as delegated or implementing regulations. Once published in the Official Journal, they carry the force of EU law. These are the highest-priority ESMA publications: they create binding obligations and have specific effective dates. A MiFID II RTS amending best execution reporting requirements is a compliance obligation, not a recommendation.
Guidelines and recommendations: ESMA publishes guidelines under Article 16 of its founding regulation. Financial firms in scope must "make every effort to comply" with ESMA guidelines — a standard that falls short of binding legal obligation but that NCAs enforce. An ESMA guideline on ESG rating transparency may not technically be a regulation, but your NCA supervisor will expect you to have implemented it, and an examination that reveals you have not is a supervisory finding. The distinction matters for how you log and track it, but not for whether you act on it.
Q&As and opinions: ESMA publishes Q&As on major pieces of legislation (MiFID II Q&A, EMIR Q&A, etc.). These clarify how ESMA interprets specific provisions and are updated periodically. They are not binding but are highly influential in supervisory practice. A Q&A update clarifying the scope of a position limits regime affects every commodities trading firm in scope, even though it is not a new rule.
EBA: the banking and payments layer
The European Banking Authority has a similar structure but a different scope: it focuses on banking, payment services, and anti-money laundering. For fintechs and payment institutions operating in the EU, EBA output is frequently more directly relevant than ESMA.
EBA's binding instruments follow the same RTS/ITS structure as ESMA: technical standards are developed by EBA, endorsed by the European Commission, and published in the Official Journal. The key EBA domains for cross-border financial services compliance are: capital requirements (CRD/CRR), payment services (PSD2/PSD3), AML (AMLD6 and the new EU AML Authority framework), operational resilience (DORA), and consumer protection in retail banking products.
EBA also publishes guidelines with the "comply or explain" standard — NCAs must either incorporate EBA guidelines into their supervisory practice or explain to EBA why they have not. In practice, most EBA guidelines are adopted by NCAs across the EU, which means they effectively function as binding requirements for firms supervised by those NCAs.
A point that confuses many compliance teams: ESMA and EBA sometimes produce joint publications on topics that span both mandates. AML is the clearest example — both authorities have issued joint guidelines on AML risk factors for the financial sector. Those joint publications require monitoring both channels. A team that monitors only ESMA and misses the joint EBA/ESMA product has a gap in its AML regulatory tracking.
ECB: the systemic risk and monetary layer
The European Central Bank's supervisory role (through the Single Supervisory Mechanism) covers significant institutions directly and other institutions indirectly. ECB Banking Supervision publishes supervisory priorities, expectations, and thematic reviews that affect the compliance programs of ECB-supervised banks.
For most non-bank financial firms — fintechs, payment institutions, investment managers — ECB publications are relevant primarily as context and forward signal rather than as direct obligation. However, if your firm operates a banking subsidiary that is an ECB-supervised institution, ECB supervisory expectations are direct compliance input. And for any firm with significant counterparty relationships with ECB-supervised banks, the ECB's supervisory thematic reviews (on credit risk, operational resilience, data governance) signal what your banking partners will be asked about — which affects how they structure their third-party requirements.
National Competent Authorities: where supervisory expectations become local reality
This is where the monitoring complexity multiplies for multi-entity EU groups. An investment manager with a French AIFM authorization (supervised by AMF) and a German MIFID entity (supervised by BaFin) is monitoring ESMA, EBA, and two NCAs — each of which can publish local guidance, impose supervisory expectations beyond EU baseline standards, and issue firm-specific or sector-specific communications that carry practical compliance weight.
The AMF publishes its own doctrine (positions, recommendations, guides) that supplements EU-level requirements for French-supervised firms. BaFin publishes circulars and guidance documents that establish local supervisory expectations. In neither case does EU-level monitoring cover these local publications.
We are not saying every NCA publication requires an update to your policies. Many NCA documents clarify or interpret existing requirements rather than adding new ones. But the monitoring gap is real: a cross-border compliance team that covers ESMA and EBA but omits the NCA layer is missing the local supervisory interpretation that will be used when your entity is examined.
The interaction effects that create compliance blind spots
Here is a concrete example of how the layers interact in a way that traps teams monitoring only one level. Under MiFID II, transaction reporting is governed by: the Level 1 text (Article 26 of MiFIR), an RTS published by ESMA and adopted by the Commission (Commission Delegated Regulation 2017/590), periodic ESMA Q&A updates clarifying specific scenarios, and your NCA's own supervisory positions on local implementation. An update to the ESMA Q&A that changes how firms should report certain OTC derivatives affects every MiFIR-reporting firm in the EU — but it is published as a Q&A update on the ESMA website, not as a new delegated regulation, and it will not appear in a monitoring feed that only covers the Official Journal.
This is the structural challenge: the EU regulatory publication ecosystem is a layered system where binding law, binding technical standards, non-binding guidelines, and interpretive Q&As all affect compliance programs — but they are published through different channels, with different legal status, and on different timescales. A monitoring process that covers only the Official Journal captures roughly the top layer of that stack.
Building a monitoring process that covers the stack
The practical monitoring approach for a mid-size cross-border firm with EU operations has to operate at multiple levels simultaneously. For ESMA and EBA, that means tracking the technical standards register, the guidelines register, and the Q&A pages for each major piece of legislation in scope. For NCAs, it means having a monitoring feed for each NCA that supervises one of your entities — usually the NCA's own publications page or a feed that aggregates it.
The volume challenge is real: a firm with EU, UK, US, and APAC operations may need to monitor 15 to 20 distinct publication channels to cover the regulatory stack for all its entities. That is not a number that any individual analyst can sustain through manual checks. It is the number that requires either a dedicated monitoring function or a platform that consolidates those channels into a structured feed — filtered to what is relevant to your firm's specific authorization types and business activities.
What does not work is monitoring European regulation as if it were a single channel. The firms that end up with compliance gaps in EU regulatory tracking are the ones that treat "EU regulation" as a monolithic source and subscribe to a single digest, not the ones that have built a layered monitoring process calibrated to the actual publication structure of the EU regulatory ecosystem.